The present disclosure relates to the field of computers, and specifically to computers on a network. Still more particularly, the present disclosure relates to protecting hardware resources on a network.
Computer networks often include hardware resources (e.g., storage devices, actuators, sensors, etc.) that are accessible by a server computer and one or more client computers. The server computer often handles operations on behalf of the client computer, such as providing access to hardware resources, executing applications, providing memory and computing resources, etc. Such operations performed by the server often require a high level of trust among the client, the server, and the hardware resources, and that trust may or may not be warranted, due to insecure connections between the server and client, distrust of who is able to access the hardware resources, etc.
Current computing across a network and in “the cloud” (a network of shared hardware and/or software resources) has proved to be especially problematic in terms of security. A great majority of nefarious attacks on computer resources, servers, clients, etc. come through an attack on an operating system (O/S) on a device, or an attack directly on an application running on the device (e.g., structured query language (SQL) injection, or a buffer overflow in buffer(s) used by the application). Current protection mechanisms depend upon pre-discovering potential exposures and applying constant and immediate patches (software fixes). This results in a high risk quotient and a need for additional supporting workload.
Various approaches to protecting resources on a network have been proposed in the prior art.
For example, U.S. Patent Application Publication No. 2005/0114663, filed by Cornell et al., teaches the use of encryption keys that are embedded in the hardware of the first connection point and the trusted partner, in order to encrypt network traffic that can be sent on the trusted link. By embedding the encryption keys in the hardware, as opposed to implementing the encryption keys in software, the encryption algorithm can be made more secure and efficient. However, such embedded keys are not scalable, and thus are not practical when access to large numbers of connection points is required. Furthermore, this approach does not protect access to non-computing hardware devices.
In another example of the relevant prior art, U.S. Pat. No. 8,745,373 issued to Molsberry et al. teaches a system of selectively encrypting inbound data on the basis of an encryption policy, which specifies what kind of encryption to apply, using the provided instructions. This approach optimizes resource usage by only encrypting when necessary, but does not provide protection of access to hardware devices.
In another example of the relevant prior art, WIPO patent application WO 2004/025472 filed by Wholepoint Corporation (Inventors Ocepek et al.) teaches a method and apparatus for controlling data link layer access to protected servers on a computer network by a client device. If the client device is unknown, then restriction address resolution replies are transmitted to the protected devices to restrict access by the client device. If an authentication server determines that the client device is unauthorized, then access by the client device to all other network devices is blocked. This approach still does not protect access to hardware devices with the level of security that is often required.
Thus, the present invention provides a new and novel solution to these and other problems found in the prior art.